VYPR
High severity · NVD Advisory · Published Jun 24, 2021 · Updated Aug 3, 2024

Private files publicly accessible with Cloud Storage providers

CVE-2021-32717

Description

Shopware is an open source eCommerce platform. In versions prior to 6.4.1.1, private files are publicly accessible with Cloud Storage providers when the hashed URL is known. Users are recommended to first change their configuration to set the correct visibility according to the documentation; the visibility must be at the same level as type. When the storage is on Amazon AWS, we recommend disabling public access to the bucket containing the private files: https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html. Otherwise, update to Shopware 6.4.1.1, or install or update the Security plugin (https://store.shopware.com/en/detail/index/sArticle/518463/number/Swag136939272659) and run the command ./bin/console s3:set-visibility to correct your cloud file visibilities.
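The two placements of the visibility setting that the description contrasts, as an added example that is not from the advisory, Shopware's documentation or the project; it assumes the shopware.filesystem layout the patched FilesystemFactory reads, and bucket, region and credential values are placeholders. The patched factory promotes `config.options.visibility` to the top-level `visibility`; on unpatched versions only the key beside `type` takes effect, which is why the advisory tells operators to put it there.

```yaml
# Assumed location: config/packages/shopware.yaml (values are placeholders)
shopware:
    filesystem:
        private:
            type: "amazon-s3"
            config:
                bucket: "EXAMPLE-PRIVATE-BUCKET"
                region: "eu-central-1"
                credentials:
                    key: "AWS_KEY_PLACEHOLDER"
                    secret: "AWS_SECRET_PLACEHOLDER"
                # Weak on < 6.4.1.1: the nested value is not applied to the
                # private filesystem, so objects are written with the fallback
                # visibility and become reachable by their hashed URL.
                options:
                    visibility: "private"
            # Corrected: the key at the same level as `type` is what the
            # filesystem is actually built with on every version.
            visibility: "private"
```

Objects already written while the nested form was in use keep their stored ACL; the configuration change only affects new writes, which is what `./bin/console s3:set-visibility` is for.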

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Shopware prior to 6.4.1.1 exposes private cloud storage files if the hashed URL is known, due to incorrect visibility settings.

Vulnerability

In Shopware versions prior to 6.4.1.1, private files stored in cloud storage providers (e.g., Amazon S3) are publicly accessible when the hashed URL is known. This occurs because the visibility configuration for cloud storage files is not correctly set; the visibility must be at the same level as type. The affected versions are all Shopware releases before 6.4.1.1. [1][3]

Exploitation

An attacker needs only to know the hashed URL of a private file. No authentication or special network position is required. The attacker can directly access the file via the URL. The vulnerability stems from the misconfiguration of cloud storage visibility settings, which fail to enforce private access. [1][3]

Impact

Successful exploitation results in unauthorized disclosure of private files stored in cloud storage. This can include sensitive customer data, order information, or other private content. The impact is a breach of confidentiality (information disclosure). [1][3]

Mitigation

Shopware released version 6.4.1.1 to fix the issue. Users can also install or update the Security plugin and run the command ./bin/console s3:set-visibility to correct cloud file visibilities. For Amazon S3, disabling public access to the bucket is recommended. The fix was published on 2021-06-24. [1][2][3]
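A defender-side check of the state the command is meant to correct, written as an added example (not Shopware's or AWS's code): it flags objects in the private bucket whose ACL grants public read and lists Block Public Access settings that are still off. It assumes the dict shapes boto3 returns from get_object_acl and get_public_access_block; the sample ACLs are constructed.

```python
# Added example: audit a "private" bucket for public-read object ACLs and
# report disabled S3 Block Public Access settings. Pure functions operate on
# boto3 response shapes; SAMPLE_* data below is constructed, not real.
from typing import Dict, Iterable, List

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_PERMS = {"READ", "FULL_CONTROL"}
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")

def is_publicly_readable(grants: Iterable[dict]) -> bool:
    """True if a grant gives READ/FULL_CONTROL to AllUsers or AuthenticatedUsers,
    i.e. the object is reachable by anyone who knows its URL."""
    for grant in grants:
        grantee = grant.get("Grantee", {})
        if (grantee.get("Type") == "Group"
                and grantee.get("URI") in (ALL_USERS, AUTH_USERS)
                and grant.get("Permission") in PUBLIC_PERMS):
            return True
    return False

def find_public_objects(acls: Dict[str, List[dict]]) -> List[str]:
    """{object key: Grants list} -> sorted keys that are publicly readable."""
    return sorted(k for k, g in acls.items() if is_publicly_readable(g))

def public_access_block_gaps(cfg: dict) -> List[str]:
    """Block Public Access settings that are absent or false in the config."""
    return [k for k in PAB_KEYS if not cfg.get(k, False)]

def audit_bucket(bucket: str) -> List[str]:
    """Live variant; needs boto3 and read access to the bucket and its ACLs."""
    import boto3  # imported here so the pure functions above run without it
    s3 = boto3.client("s3")
    acls = {}
    for page in s3.get_paginator("list_objects_v2").paginate(Bucket=bucket):
        for obj in page.get("Contents", []):
            acls[obj["Key"]] = s3.get_object_acl(Bucket=bucket, Key=obj["Key"])["Grants"]
    return find_public_objects(acls)

# Constructed sample: invoice-1001 was stored with a public-read ACL.
SAMPLE_ACLS = {
    "invoice-1001.pdf": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}],
    "invoice-1002.pdf": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner"}, "Permission": "FULL_CONTROL"}],
}
SAMPLE_PAB = {"BlockPublicAcls": True, "IgnorePublicAcls": False,
              "BlockPublicPolicy": True, "RestrictPublicBuckets": False}
```

Run `audit_bucket("<private-bucket>")` after `s3:set-visibility` (or after the upgrade) to confirm it returns an empty list; a non-empty result means objects are still exposed by URL.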

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                        Affected versions   Patched versions
shopware/platform (Packagist)  < 6.4.1.1           6.4.1.1

Affected products: 2

Patches

ba52f683372b

NEXT-14744 - fix visibility setting in s3 storage fs

https://github.com/shopware/platform · David Neustadt · May 18, 2021 · via ghsa
4 files changed · +135 −0
  • changelog/_unreleased/2021-05-10-fix-visibility-setting-in-s3-storage-fs.md · +10 −0 · added
    @@ -0,0 +1,10 @@
    +---
    +title: fix visibility setting in s3 storage fs
    +issue: NEXT-14744
    +author: d.neustadt
    +author_email: d.neustadt@shopware.com 
    +author_github: dneustadt
    +---
    +# Core
    +* Changed setting of visibility from fallback config to nested `options` parameter as per documentation
    +* Added `s3:set-visibility` CLI command for retroactively setting visibility of already stored objects
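    Review bot: the changelog should state that the `options` change only affects objects written after the upgrade and that `s3:set-visibility` must be run (or public access blocked on the bucket) for objects already stored; as written, an operator reading only the first bullet will assume the upgrade alone closes the exposure, although the second bullet's "retroactively setting visibility of already stored objects" is exactly the case that matters. Minor: the `author_email:` value carries a trailing space.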
    
  • src/Core/Framework/Adapter/Command/S3FilesystemVisibilityCommand.php · +112 −0 · added
    @@ -0,0 +1,112 @@
    +<?php declare(strict_types=1);
    +
    +namespace Shopware\Core\Framework\Adapter\Command;
    +
    +use League\Flysystem\FilesystemInterface;
    +use Shopware\Core\Framework\Adapter\Console\ShopwareStyle;
    +use Symfony\Component\Console\Command\Command;
    +use Symfony\Component\Console\Helper\ProgressBar;
    +use Symfony\Component\Console\Input\InputInterface;
    +use Symfony\Component\Console\Output\OutputInterface;
    +
    +class S3FilesystemVisibilityCommand extends Command
    +{
    +    protected static $defaultName = 's3:set-visibility';
    +
    +    /**
    +     * @var FilesystemInterface
    +     */
    +    private $filesystemPrivate;
    +
    +    /**
    +     * @var FilesystemInterface
    +     */
    +    private $filesystemPublic;
    +
    +    /**
    +     * @var FilesystemInterface
    +     */
    +    private $filesystemTheme;
    +
    +    /**
    +     * @var FilesystemInterface
    +     */
    +    private $filesystemSitemap;
    +
    +    /**
    +     * @var FilesystemInterface
    +     */
    +    private $filesystemAsset;
    +
    +    public function __construct(
    +        FilesystemInterface $filesystemPrivate,
    +        FilesystemInterface $filesystemPublic,
    +        FilesystemInterface $filesystemTheme,
    +        FilesystemInterface $filesystemSitemap,
    +        FilesystemInterface $filesystemAsset
    +    ) {
    +        parent::__construct();
    +        $this->filesystemPrivate = $filesystemPrivate;
    +        $this->filesystemPublic = $filesystemPublic;
    +        $this->filesystemTheme = $filesystemTheme;
    +        $this->filesystemSitemap = $filesystemSitemap;
    +        $this->filesystemAsset = $filesystemAsset;
    +    }
    +
    +    /**
    +     * {@inheritdoc}
    +     */
    +    protected function configure(): void
    +    {
    +        $this
    +            ->setDescription('Sets visibility for all objects in corresponding bucket of S3 storage.');
    +    }
    +
    +    protected function execute(InputInterface $input, OutputInterface $output): int
    +    {
    +        $style = new ShopwareStyle($input, $output);
    +
    +        $style->warning('If both private and public objects are stored in the same bucket, this command will set all of them public.');
    +        $continue = $style->confirm('Continue?');
    +
    +        if (!$continue) {
    +            return 0;
    +        }
    +
    +        $style->comment('Setting visibility to private in private bucket.');
    +        $this->setVisibility($this->filesystemPrivate, $style, 'private');
    +        $style->comment('Setting visibility to public in public bucket.');
    +        $this->setVisibility($this->filesystemPublic, $style, 'public');
    +        $style->comment('Setting visibility to public in theme bucket.');
    +        $this->setVisibility($this->filesystemTheme, $style, 'public');
    +        $style->comment('Setting visibility to public in sitemap bucket.');
    +        $this->setVisibility($this->filesystemSitemap, $style, 'public');
    +        $style->comment('Setting visibility to public in asset bucket.');
    +        $this->setVisibility($this->filesystemAsset, $style, 'public');
    +
    +        $style->info('Finished setting visibility of objects in all pre-defined buckets.');
    +
    +        return 0;
    +    }
    +
    +    private function setVisibility(FilesystemInterface $filesystem, ShopwareStyle $style, string $visibility): void
    +    {
    +        $files = array_filter($filesystem->listContents('/', true), function (array $object): bool {
    +            return $object['type'] === 'file';
    +        });
    +        ProgressBar::setFormatDefinition('custom', '[%bar%] %current%/%max% -- %message%');
    +        $progressBar = new ProgressBar($style, \count($files));
    +        $progressBar->setFormat('custom');
    +
    +        foreach ($files as $file) {
    +            if ($file['type'] === 'file') {
    +                $filesystem->setVisibility($file['path'], $visibility);
    +
    +                $progressBar->advance();
    +                $progressBar->setMessage($file['path']);
    +            }
    +        }
    +
    +        $progressBar->finish();
    +    }
    +}
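    Review bot: the boolean returned by `$filesystem->setVisibility($file['path'], $visibility)` in setVisibility() is discarded, so an object whose ACL update fails is still advanced as done and execute() returns 0 for a private bucket that may still contain public objects; count failures per filesystem and return a non-zero exit code when any occurred. Two smaller points: the `if ($file['type'] === 'file')` inside the loop is redundant after the array_filter above it, and since the warning itself admits that a shared private/public bucket ends up entirely public, running the private filesystem last rather than first would leave a shared bucket fail-closed (everything private) instead of fail-open.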
    
  • src/Core/Framework/Adapter/Filesystem/FilesystemFactory.php · +4 −0 · modified
    @@ -41,6 +41,10 @@ public function factory(array $config): FilesystemInterface
             $config = $this->resolveFilesystemConfig($config);
             $factory = $this->findAdapterFactory($config['type']);
     
    +        if (isset($config['config']['options']['visibility'])) {
    +            $config['visibility'] = $config['config']['options']['visibility'];
    +        }
    +
             $filesystem = new LeagueFilesystem(
                 $factory->create($config['config']),
                 ['visibility' => $config['visibility']]
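    Review bot: when both the existing top-level `visibility` and the new `config.options.visibility` are set, the nested value silently overwrites the other, and it is copied unvalidated, so a misspelt value is handed to LeagueFilesystem as-is; compare it against `AdapterInterface::VISIBILITY_PUBLIC` / `VISIBILITY_PRIVATE` and throw on anything else, and document the precedence. None of the four files in this change is a test covering the new lookup, which would be the natural place to pin both behaviours down.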
    
  • src/Core/Framework/DependencyInjection/services.xml · +9 −0 · modified
    @@ -593,6 +593,15 @@ base-uri 'self';
                 <tag name="console.command" command="administration:dump:features"/>
             </service>
     
    +        <service id="Shopware\Core\Framework\Adapter\Command\S3FilesystemVisibilityCommand">
    +            <argument type="service" id="shopware.filesystem.private"/>
    +            <argument type="service" id="shopware.filesystem.public"/>
    +            <argument type="service" id="shopware.filesystem.theme"/>
    +            <argument type="service" id="shopware.filesystem.sitemap"/>
    +            <argument type="service" id="shopware.filesystem.asset"/>
    +            <tag name="console.command"/>
    +        </service>
    +
             <service id="Shopware\Core\Framework\Adapter\Cache\CacheInvalidationSubscriber">
                 <argument type="service" id="Shopware\Core\Framework\Adapter\Cache\CacheInvalidator"/>
                 <argument type="service" id="Doctrine\DBAL\Connection"/>
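    Review bot: for consistency with the neighbouring `administration:dump:features` registration, give the new `console.command` tag an explicit `command="s3:set-visibility"` attribute; the class's static `$defaultName` already makes the command lazy-loaded, so this is a readability point, but it keeps the command name greppable in services.xml alongside the service that provides it.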
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 5
